Re: fscrypt request_module() deadlock

2017-07-18 Thread Herbert Xu 
On Tue, Jul 18, 2017 at 04:17:47PM -0700, Eric Biggers wrote:
> 
> While that should solve the problem, isn't it possible to actually have a 
> module
> which supplies an algorithm like "xts(aes)"?  In that case it wouldn't be
> desirable to instantiate the generic "xts" template.

Well, in the case where only xts and aes are built into the kernel
I think we have to use that instead of going to request_module as
otherwise we cannot avoid the dead-lock that is the subject of this
discussion.

If you want accelerated xts(aes) to work while building generic xts
and aes into the kernel then you should also build the accelerated
xts(aes) into the kernel (or load the manually once modules can be
loaded).

Cheers,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: fscrypt request_module() deadlock

2017-07-18 Thread Herbert Xu 
On Tue, Jul 18, 2017 at 04:17:47PM -0700, Eric Biggers wrote:
> 
> While that should solve the problem, isn't it possible to actually have a 
> module
> which supplies an algorithm like "xts(aes)"?  In that case it wouldn't be
> desirable to instantiate the generic "xts" template.

Well, in the case where only xts and aes are built into the kernel
I think we have to use that instead of going to request_module as
otherwise we cannot avoid the dead-lock that is the subject of this
discussion.

If you want accelerated xts(aes) to work while building generic xts
and aes into the kernel then you should also build the accelerated
xts(aes) into the kernel (or load the manually once modules can be
loaded).

Cheers,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: fscrypt request_module() deadlock

2017-07-18 Thread Eric Biggers 
On Tue, Jul 18, 2017 at 02:13:51PM +0800, Herbert Xu wrote:
> On Fri, Jun 30, 2017 at 05:27:34PM +0200, Richard Weinberger wrote:
> > Hi!
> > 
> > David and I faced a deadlock with switch_root when fscrypt was in use.
> > When /sbin/modprobe is encrypted using fscrypt and no other kernel component
> > requested an AES cipher before, first access to an encrypted file will 
> > trigger the
> > module_request() function, which will execute usermode helper 
> > /sbin/modprobe.
> > Is /sbin/modprobe also encrypted the kernel will deadlock because executing
> > it will again enter the module_request() path...
> > 
> > As workaround we currently do something like "ls /new_root > /dev/null" in 
> > our
> > initramfs to make request_module() happen before we change the root 
> > directory
> > to /new_root.
> > 
> > While this workaround is legit we think that this could be handled better.
> > Is there a way to request these ciphers before first usage? Herbert?
> > e.g. such that the filesystem can request them upon mount time.
> > 
> > Btw: This happens even when AES modules are builtins.
> 
> I think you're running into the problem because of templates, where
> the first instantiation will always be preceded by a request_module.
> 
> We should be able to fix this by doing two template probes instead
> of one.  So instead of the current order:
> 
> 1. Look up registered algorithms.
> 2. Request module.
> 3. Find templates (may request module).
> 
> We can do
> 
> 1. Look up registered algorithms.
> 2. Find templates without loading modules.
> 3. Request module.
> 4. Find templates (may request module).
> 

While that should solve the problem, isn't it possible to actually have a module
which supplies an algorithm like "xts(aes)"?  In that case it wouldn't be
desirable to instantiate the generic "xts" template.

Eric

Re: fscrypt request_module() deadlock

2017-07-18 Thread Eric Biggers 
On Tue, Jul 18, 2017 at 02:13:51PM +0800, Herbert Xu wrote:
> On Fri, Jun 30, 2017 at 05:27:34PM +0200, Richard Weinberger wrote:
> > Hi!
> > 
> > David and I faced a deadlock with switch_root when fscrypt was in use.
> > When /sbin/modprobe is encrypted using fscrypt and no other kernel component
> > requested an AES cipher before, first access to an encrypted file will 
> > trigger the
> > module_request() function, which will execute usermode helper 
> > /sbin/modprobe.
> > Is /sbin/modprobe also encrypted the kernel will deadlock because executing
> > it will again enter the module_request() path...
> > 
> > As workaround we currently do something like "ls /new_root > /dev/null" in 
> > our
> > initramfs to make request_module() happen before we change the root 
> > directory
> > to /new_root.
> > 
> > While this workaround is legit we think that this could be handled better.
> > Is there a way to request these ciphers before first usage? Herbert?
> > e.g. such that the filesystem can request them upon mount time.
> > 
> > Btw: This happens even when AES modules are builtins.
> 
> I think you're running into the problem because of templates, where
> the first instantiation will always be preceded by a request_module.
> 
> We should be able to fix this by doing two template probes instead
> of one.  So instead of the current order:
> 
> 1. Look up registered algorithms.
> 2. Request module.
> 3. Find templates (may request module).
> 
> We can do
> 
> 1. Look up registered algorithms.
> 2. Find templates without loading modules.
> 3. Request module.
> 4. Find templates (may request module).
> 

While that should solve the problem, isn't it possible to actually have a module
which supplies an algorithm like "xts(aes)"?  In that case it wouldn't be
desirable to instantiate the generic "xts" template.

Eric

Re: fscrypt request_module() deadlock

2017-07-18 Thread Herbert Xu 
On Fri, Jun 30, 2017 at 05:27:34PM +0200, Richard Weinberger wrote:
> Hi!
> 
> David and I faced a deadlock with switch_root when fscrypt was in use.
> When /sbin/modprobe is encrypted using fscrypt and no other kernel component
> requested an AES cipher before, first access to an encrypted file will 
> trigger the
> module_request() function, which will execute usermode helper /sbin/modprobe.
> Is /sbin/modprobe also encrypted the kernel will deadlock because executing
> it will again enter the module_request() path...
> 
> As workaround we currently do something like "ls /new_root > /dev/null" in our
> initramfs to make request_module() happen before we change the root directory
> to /new_root.
> 
> While this workaround is legit we think that this could be handled better.
> Is there a way to request these ciphers before first usage? Herbert?
> e.g. such that the filesystem can request them upon mount time.
> 
> Btw: This happens even when AES modules are builtins.

I think you're running into the problem because of templates, where
the first instantiation will always be preceded by a request_module.

We should be able to fix this by doing two template probes instead
of one.  So instead of the current order:

1. Look up registered algorithms.
2. Request module.
3. Find templates (may request module).

We can do

1. Look up registered algorithms.
2. Find templates without loading modules.
3. Request module.
4. Find templates (may request module).

Cheers,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: fscrypt request_module() deadlock

2017-07-18 Thread Herbert Xu 
On Fri, Jun 30, 2017 at 05:27:34PM +0200, Richard Weinberger wrote:
> Hi!
> 
> David and I faced a deadlock with switch_root when fscrypt was in use.
> When /sbin/modprobe is encrypted using fscrypt and no other kernel component
> requested an AES cipher before, first access to an encrypted file will 
> trigger the
> module_request() function, which will execute usermode helper /sbin/modprobe.
> Is /sbin/modprobe also encrypted the kernel will deadlock because executing
> it will again enter the module_request() path...
> 
> As workaround we currently do something like "ls /new_root > /dev/null" in our
> initramfs to make request_module() happen before we change the root directory
> to /new_root.
> 
> While this workaround is legit we think that this could be handled better.
> Is there a way to request these ciphers before first usage? Herbert?
> e.g. such that the filesystem can request them upon mount time.
> 
> Btw: This happens even when AES modules are builtins.

I think you're running into the problem because of templates, where
the first instantiation will always be preceded by a request_module.

We should be able to fix this by doing two template probes instead
of one.  So instead of the current order:

1. Look up registered algorithms.
2. Request module.
3. Find templates (may request module).

We can do

1. Look up registered algorithms.
2. Find templates without loading modules.
3. Request module.
4. Find templates (may request module).

Cheers,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

fscrypt request_module() deadlock

2017-06-30 Thread Richard Weinberger 
Hi!

David and I faced a deadlock with switch_root when fscrypt was in use.
When /sbin/modprobe is encrypted using fscrypt and no other kernel component
requested an AES cipher before, first access to an encrypted file will trigger 
the
module_request() function, which will execute usermode helper /sbin/modprobe.
Is /sbin/modprobe also encrypted the kernel will deadlock because executing
it will again enter the module_request() path...

As workaround we currently do something like "ls /new_root > /dev/null" in our
initramfs to make request_module() happen before we change the root directory
to /new_root.

While this workaround is legit we think that this could be handled better.
Is there a way to request these ciphers before first usage? Herbert?
e.g. such that the filesystem can request them upon mount time.

Btw: This happens even when AES modules are builtins.

Thanks,
//richard

fscrypt request_module() deadlock

2017-06-30 Thread Richard Weinberger 
Hi!

David and I faced a deadlock with switch_root when fscrypt was in use.
When /sbin/modprobe is encrypted using fscrypt and no other kernel component
requested an AES cipher before, first access to an encrypted file will trigger 
the
module_request() function, which will execute usermode helper /sbin/modprobe.
Is /sbin/modprobe also encrypted the kernel will deadlock because executing
it will again enter the module_request() path...

As workaround we currently do something like "ls /new_root > /dev/null" in our
initramfs to make request_module() happen before we change the root directory
to /new_root.

While this workaround is legit we think that this could be handled better.
Is there a way to request these ciphers before first usage? Herbert?
e.g. such that the filesystem can request them upon mount time.

Btw: This happens even when AES modules are builtins.

Thanks,
//richard